2018-05-16

GDPR

I am not planning to say a lot here at this stage, but I suspect people would be rather surprised if I did not comment a little on GDPR. I remind you all I am not a lawyer. I'll try to cover the basics...

Is this a big change?

You would be forgiven for thinking it is. To be honest, I think for the most part the basic principles have not changed a lot, and if you were "doing it right" before, you are probably "doing it right" now. There are changes, yes, but it seems to me that the biggest change is around "accountability". Under GDPR you are expected to have a lot more processes in place, and be able to show that. Before, if you did things right you may have more easily got away without all of the paperwork to prove that was the case, but GDPR puts a lot of onus on the paperwork and accountability... GDPR also has big fines, which is what is actually making people jump!

"Consent" has changed...

As a basis for processing personal data the use of "consent" has changed, in rather odd ways. For a start it has to be "freely given" so cannot be in exchange for some service, which is interesting. But also it has to be revocable. Some of the rules on proving you got consent (i.e. not default pre-ticked boxes) have changed a bit too. And of course the accountability to show you actually got consent is clearer now.

The upshot of this, and paraphrasing the advice from our lawyer, is that anyone relying on "consent" as the basis for processing, is crazy.

I know I am seen as speaking for A&A here on my blog in spite of my caveats on the matter, so to be clear, A&A do not use "consent" as the basis for processing. It is far too difficult, and fragile a basis for doing anything really. Why would we - you can withdraw it at any time...

Extra rights

Not that many to be honest, you had loads of rights before, but maybe a few more now. One thing is that subject access requests are to be free. This is likely to be a pain for many companies.

Once again, with an A&A hat on, pretty much everything we have on you is available on the web pages now (accounts or control pages), and indeed, I expect some level of "full SAR" to be in there soon anyway, depending on if anyone starts asking for lots of data. I'd rather people do not go mad on 25th asking for data, to be honest, as basically we are not the bad guys here hoarding loads of personal data on people, and never have been. A lot of replies will be referencing the data you can access anyway. That is not to say we won't welcome suggestions and feedback on this all.

Privacy at the core of the business

This is where A&A are a bit different, and I had a long chat with our company lawyer on this the other day. Obviously we have been working on this for months, but he was impressed how we do take privacy seriously at every level as a matter of course really. It has made his job a bit easier as basically we are not changing what we do, but doing the paperwork to document what we do and so on. Not only is the company simply not in the "business" of selling / processing personal data in the first place, but we have myself and key staff on the case every day challenging everything we do, or consider doing, from a privacy standpoint.

Some changes at A&A

To be honest, the whole process has meant we are looking more closely at some aspects of what we do, and so some things like the way we identify customers that call/irc/email/etc may be tightened up a bit. We need the right compromises of helpful and secure. We did a lot of this last year with controls over levels of security on accounts and two factor authentication so as to give our customers a choice of the level of security (or paranoia) they felt was needed for their data. That was all done before we even really considered GDPR, just how we work and how we can be better at privacy!

But obviously we welcome feedback: if you feel we are too strict or not strict enough on verifying you as a customer, please do tell us. The whole process here is a lot about learning the right balance to ensure people have the right level of privacy and convenience.

OK, the real reason to read this - those annoying emails to re-confirm consent!

We have all had them, heck they are filling the inbox for us all - asking to reconfirm "consent" before 25th May.

I don't know what to say to be honest. I do not think a single one of these emails is from someone that I actually gave consent to in the first place!!!

We've had them sent to mailerdaemon@somedomain at the office, clearly not an email address anyone used or consented to marketing (or any other) emails to.

The only light at the end of the tunnel is that, if we are lucky, all of these muppets delete us from their mailing lists for fear of fines related to GDPR.

But, really, none of them should have us on the mailing list anyway under existing privacy and data protection laws, FFS! If only the ICO had enforced the laws we had, this would have not been an issue, IMHO.

If you have a lawful basis to have someone's details and send them email, GDPR does not really take that away, and so you do not need these stupid emails asking to re-consent.

Anyone considering sending such emails over the next week or so - talk to someone that understands GDPR properly, i.e. @neil_neilzone

26 comments:

"I don't know what to say to be honest. I do not think a single one of these emails is from someone that I actually gave consent to in the first place!!!"

Surely that's the point - they are hoping you'll miss the ones that you never consented to in the first place and click the "It's OK to continue sending me crap" button thus legitimising their sending you crap.

Not really: it works perfectly fine for a newsletter-type mailing list... if people consent to receiving the mailing list, they get the emails; if they withdraw their consent, they stop getting the emails. Much more than that does get tricky though :)

"If you have a lawful basis to have someone's details and send them email, GDPR does not really take that away, and so you do not need these stupid emails asking to re-consent."

Unfortunately that's not true, though: if your lawful basis under GDPR is "consent", GDPR now requires you to keep records of exactly when and how the consent was obtained, and also the information supplied at the time consent was given. So it's quite possible you have legitimately obtained consent in the past, but did not keep records of exactly when and how the consent was given (e.g. you just added the email to a suitable mailing list). That is no doubt what those people asking mailerdaemon for consent will claim happened with them :)

1.) if other lawful bases are available, consent is unlikely to be the one that a wise controller would pick. However, the other purported stalwart, "legitimate interests", is also far from perfect, given the inherent balancing act and the right to object;

2.) purported reliance on consent when the processing is, in fact, necessary to perform a contract with the data subject is misguided; and

3.) while the GDPR does not require everyone to go out and re-collect consent, there are, as you say, edge cases in which a "re-consenting" email may be sensible, including a lack of evidence which would permit you to demonstrate consent (although this has caused problems all along, if it got into ICO investigation territory). However, quite a few organisations seem to be confused as to when they require consent for the sending of communications, over-extending or simply forgetting about regulation 22 of PECR.

It's true that you get to choose the basis that's most appropriate to your organisation. But unfortunately "to provide a service" isn't a legal basis under GDPR - the closest basis is "contract", and in some circumstances it may be difficult and/or undesirable to argue that a contract exists.

For instance, a charity may send a newsletter to people who donate to it (because some people are just interested and/or like to know where their donations go); clearly they only want to send it to people who want it, because there's no point annoying people who donate money to you! So you already have to let people opt in/opt out later in any case.

Now, you *could* say that sending the newsletter is a service provided (optionally) in exchange for the donation, and that a contract exists for this... and (as far as I know) that would be 100% legal.

The issue is that then this falls foul of HMRC's rules for Gift Aid - because for that, donations can't be in exchange for something - so the charity misses out on a potential extra 20% on top of its income... and they'd have to be crazy to do that :)

It's worth bearing in mind that a "charity newsletter" might well amount to a communication sent for the purpose of direct marketing. If it is sent by email to an individual subscriber, regulation 22 of PECR will require consent if the "soft opt-in" requirements cannot be met (which are challenging for charities).

Art 6.1(b) specifically mentions a contract. The trouble with a free service is that there's no consideration on one side - so it's hard to argue that any contract exists. And if you try to introduce something artificial ("we send you the newsletter in exchange for you ticking this box, and it's nothing to do with the monetary payment you're making at exactly the same time"), then that's likely to look like fraud to avoid the gift aid rules, at least to HMRC's eyes...

(And besides, as Neil mentions, there are other reasons why using "consent" may be required / convenient.)

I had one from Ely Cathedral asking me to reconfirm for a concert mailing list I really want to be on (and which of course I already gave explicit consent for, so the email was useless). But the link they gave points to a page that wants to add me as a *new member* of the list, which of course I can't do because I'm already a member -- until they delete me on the 25th for not following the link.

Maybe they'll notice something is wrong when the 25th passes by and their automated job deletes every member of their concert mailing list -- but this is not a tech company, this is a *cathedral*, so frankly I doubt it.

My financial adviser sent me one of these re-consent emails, with dire warnings stating that if I did not consent it would be very difficult for him to continue as my financial adviser. Sigh. I contracted him to provide services as my financial adviser, how much more consent than that can he possibly need?

I signed a contract with him, on actual paper with my physical signature. It is dated and everything, and we both have copies. I really don't understand why any more consent than that is required, it is utter madness to require more. Would signing in blood have helped perhaps?

You have lost me completely now, I cannot parse what you wrote. The contract I signed specifically says I consent to him holding and processing my personal data for the purposes of providing financial advice. Why is that not good enough for GDPR? Or does it explicitly forbid consent given in a contract and only allow it outside of a contract? Which would be another form of madness!

I think Neil is trying to explain GDPR. There are many distinct lawful bases for processing data. So which is it in this case? I.e. what is he actually doing, and what classification does that mean it comes under? If what he is actually doing is processing data as necessary for the performance of the contract, then that "processing data as necessary for the performance of a contract" is the basis on which he is processing it. He is not processing data because you gave consent - that is not why he processes data. Yes, you can "give him consent" but there is no point in him asking or you giving, as that is not why he is processing data so not something he needs to rely on to do that. I think.

Plus, trying to get consent by way of a contractual term is highly questionable, by virtue of Article 7(2):

"If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding."

My consent was never freely given to any of these people, I'd rather they hold nothing on me, but under the old system I had no choice but to give banks and building societies freedom to share my data with them.

I have no direct contractual relationships with any of these companies so they don't have to process my data as part of any service they provide me.

Surely they cannot be allowed to do it by virtue of their contracts with banks, building societies, as otherwise if I have a contract with my friend to process your data, I can.

I wonder what the response would be if, on the 25th, I demanded they delete all their data on me....

Your bank processes your personal data because it is necessary for them to do that in order to provide you with the services you've asked them to provide (e.g. a bank account).

One of the ways they process this data is to share it with third party companies in order to try to mitigate against fraud and to help ensure that they only offer you products and services that are appropriate for your financial circumstances.

Ok, that could be true if the data is used only for the purposes of preventing fraud and delivering the banks’ services. But what then about Experian, ClearScore and other companies like that advertising on TV that I should pay for their services myself to check my credit score? Looks like pure spam to me. In fact it’s worse than spam because they’re trying to gain power over me by holding data that could affect my life, and then they’re trying to make me feel anxious about what the data is so that I buy their services to view the data. Hopefully those companies will be inundated with subject access requests from people wanting to see the data without paying for it.

Also what about all the data in the Whois registry? Stalkers' paradise, that thing.

While I get that my bank can process my data in order to perform their contract with me, passing that data to someone else who then processes it and passes it to other interested parties, and produce larger datasets from it, seems wrong.

And these companies are unreliable (see Equifax breaches) and a law unto themselves.

Synetics Solutions simply keep a record of applications and a boolean "was fraud suspected". Because of an entry on their database I had car insurance declined. After several Subject Access Requests, I discovered that my bank Nationwide had entered this. They cannot have been particularly concerned as they gave me a mortgage a few months later, but after a massive complaints process they eventually told me it was accurate as when applying for a loan I had provided inconsistent data, in that I'd used a different name for my employer.

I had to evidence that the two names were the same entity, one the legal name of the Ltd company, and one their commonly used "trading as" name. I had to get a letter from the director, and show evidence from FoI requests to government departments where they were a supplier listed as "abc ltd t/a xyz".

In the end the fraud allegation was removed from Synetics Solution's database, but I still have to declare that I have had car insurance declined, which significantly affects my premiums. I've been to the FOS about this, to no avail.

These agencies are evil, a law unto themselves, and serve no useful purpose.
